Researchers from cybersecurity firm Avast have uncovered a critical flaw in the cryptographic mechanism of the notorious DoNex ransomware and its predecessors. This discovery has allowed Avast, in collaboration with law enforcement organizations, to silently provide decryptors to victims of DoNex ransomware since March 2024.
The cryptographic weakness was publicly revealed at the Recon 2024 conference, Avast said, adding that it has no reason to keep the flaw secret.
DoNex, which has undergone several rebrandings, first emerged under the name Muse in April 2022. Since then, the ransomware has evolved through multiple iterations, including a fake LockBit 3.0 and DarkTrace, culminating in the final version known as DoNex.
However, since April 2024, no new samples of DoNex have been detected, and its associated TOR site has been offline, indicating a potential halt in its evolution and operations. DoNex has been known for its targeted attacks, primarily affecting victims in the United States, Italy, and Belgium.